Hospital cyberattack investigation complete no formal review needed

pThe Information and Privacy Commissioner of Ontario IPC has completed a review into a massive cyberattack on five regional hospitals in 2023 and found hospital officials acted adequatelyppBut in its decision the IPC said the investigator found the custodians of the information did not notify affected individuals regarding the ransomware encryption and its impact on the patients personal health information which they were required to do under the lawppThe hackers stole and disclosed the personal health information of hundreds of thousands of patients at Bluewater Health ChathamKent Health Alliance Erie Shores HealthCare HôtelDieu Grace Healthcare and Windsor Regional Hospital during the ransomware attack in October 2023ppI find that although the custodians appropriately notified individuals affected by the data exfiltration they were also required to notify those affected by the hostile encryption which they did not Despite this finding I decide that there is no useful purpose in ordering additional notification at this stage concluded the IPC In light of the measures taken to contain investigate and remediate the incident the investigator finds that the custodians have responded adequately to the breach and concludes that a review of this matter under Part VI of the Act is not warrantedppThe hospitals issued a joint statement on Wednesday saying they appreciate the IPCs thorough investigation into this matter and they are pleased that the IPC has acknowledged the efforts by the hospitals and TransForm Shared Service Organization to contain the breach after it occurredppThe hospitals are also pleased improvements made to data and information protections since the ransomware cyberattack were acknowledged by the IPCppWe acknowledge that the IPC has noted concern surrounding the notification of individuals whose data was encrypted by the threat actors In response to this incident the hospitals issued regular news releases describing the impact on data and operations participated in multiple press conferences and directly notified more than 300000 individuals of the incident read the joint statement by the local hospitalsppThe hospital group also noted it is dedicated to ensuring continued adoption of best practices in an everchanging global cybersecurity environmentppThe hospitals added they are unable to comment further due to ongoing litigationppThe investigation revealed the hackers infiltrated TransForms network by leveraging three compromised administrator accounts associated with the networkppThey gained access to health records and other information by leveraging one administrator account to establish external VPN connection to the network According to the IPC this account held privileges that allowed access to the entire network adding the hackers initially entered the network at the segmented portion dedicated to Bluewater HealthppThe hackers were then able to live off the land by gaining access to the network using a legitimate account and avoid detection said the IPC adding eventually the hackers used the same account to move and infiltrate deeper into other parts of the networkppFinally the IPC reported the hackers used a third administrator account which had access to controls over the local operating system of the overall network to deploy a script which automatically encrypted the networks virtual server infrastructure resulting in the encryption of 192 virtual serversppThe servers affected were mostly servers that supported the hospitals clinical care and diagnostic testing procedures and backoffice administrative functionsppThe investigation also revealed the hospitals network was not equipped with multifactor authenticationppThe custodians submitted that the forensic investigation was unable to determine how these accounts had their credentials compromised However based on the information provided the compromise of these administrator accounts played a pivotal role in enabling the ransomware attack wrote the IPCppThe IPC also noted its satisfaction that the custodians have put in place appropriate measures to contain and remediate the incident and to ensure reasonable safeguards but it also made recommendations for the custodians to further improve their practicesppThe Toronto Blue Jays won their eighth in a row Sunday 32 over the visiting LA AngelsppThe Ontario Compensation Employees Union announced on Sunday that its members have accepted the tentative collective agreement that was negotiated by the bargaining committeeppEntegrus Inc is asking customers in Ridgetown to reduce electricity usageppHundreds of customers were without power because of a crashppThe Toronto Blue Jays defeated the visiting LA Angels in game two of their seriesppNora Pharma is recalling several bottles of its NRAAmlodipine a blood pressure medication as some of its 5mg tablet bottles may include the wrong medicationp